onContinuePostLogin: The session token is invalid: Unexpected token payload type

Hi,

I’m working on Post Login action that uses a redirect and then tries to access some data from an external website.

when calling validateToken I’m getting an error (“The session token is invalid: Unexpected token payload type”) and I don’t know exactly what the problem is.

The token I’m returning looks like this:

{
  "state": "hKF***",
  "favorite_color": "blue",
  "iat": 1660555965,
  "sub": "auth0|***",
  "iss": "***.azurewebsites.net",
  "exp": 1660556025
}

I’m signing the token with HS256 and a shared key both known to the action and the external service.

1 Like

Hi @felix.seidl,

Welcome to the Auth0 Community!

How are you creating the token? Can you give us a code snippet of your action?

Also have you tried checking your token with jwt.io to see if it is valid?

Let me know,
Dan

Hi @dan.woda,

Thanks for reaching out.

I’m using the ‘jose’ npm package to create the token on on the external site:

const secret = new TextEncoder().encode(shared_secret);
const jwt = await new jose.SignJWT({ state: stateParameter, favorite_color: "blue" }) // some dummy value
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setSubject(userId)
    .setIssuer('***.azurewebsites.net')
    .setExpirationTime('1m')
    .sign(secret);

the redirect back to auth0:

window.location.replace(`https://***.eu.auth0.com/continue?state=${stateParameter}&token=${token}`);

onContinuePostLogin:

const payload = api.redirect.validateToken({
      secret: event.secrets.sharedsecret,
      tokenParameterName: "token",
    });

I have checked the token on jwt.io but saw no problems.

Can you share (or DM) an example of the payload? This error suggests the payload is malformed.

I can reproduce this error with the payload from the example (favorite_color: "blue")

1 Like

I also receive this same error, using the same code as above. I verified it on jwt.io as well. Any help here? The error message isn’t giving back any additional context.

You just need to set the typ header alongside the alg header. You will need something like this: .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })

Then, your code would look like this:

const secret = new TextEncoder().encode(shared_secret);
const jwt = await new jose.SignJWT({ state: stateParameter, favorite_color: "blue" }) // some dummy value
    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
    .setIssuedAt()
    .setSubject(userId)
    .setIssuer('***.azurewebsites.net')
    .setExpirationTime('1m')
    .sign(secret);

I know it’s too late, but I’m leaving the answer for anyone else struggling with this.

1 Like

Thanks for sharing that with the rest of community!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.